Go Getter
CVE-2022-29810
MEDIUM
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.
AnalysisAI
The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-532. The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter. Affected products include: Hashicorp Go-Getter. Version information: before 1.5.11.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. Rated
go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of cus
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configura
go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Rated high severity (CVSS 8.6),
go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP response
go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and com
HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Rated medium severity (CVSS 6.5), this v
HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized rea
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today